Abstract: Unsupervised anomaly detection can’t detect a massive attack in bursts.In order to solve this problem，this paper proposes a unsupervised anomaly detection model based on clustering.It chooses clustering result from multi-clusters which has the minimum DB index，applies minimum intra-cluster distance and maximum intra-cluster distance to classify every cluster，then identifies attacks.Experimental results show that the proposed strategy can improve obviously detection rate and decrease false positive rate.

Key words: unsupervised anomaly detection, K-means algorithm, Davies-Bouldin index, intra-cluster distance

摘要： 为了解决无监督异常检测方法无法检测突发性的大规模攻击的问题，提出了一种基于聚类的无监督异常检测模型，该模型从多个聚类器中选取DB指数最小的分簇结果，并利用最小簇内距离、最大簇内距离对每个簇进行分类，从而识别出攻击。实验表明该模型明显提高了检测率、降低了误报率。

关键词: 无监督异常检测, K均值算法, DB指数, 簇内距离